]> git.ipfire.org Git - thirdparty/openssl.git/blame - crypto/rsa/rsa_lib.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Add ossl_rsa symbols
[thirdparty/openssl.git] / crypto / rsa / rsa_lib.c
CommitLineData
2039c421 1/*
4333b89f 2 * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
d02b48c6 3 *
2a7b6f39 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
2039c421
RS		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
d02b48c6
RE		 8 */
9
c5f87134
P		 10/*
11 * RSA low level APIs are deprecated for public use, but still ok for
12 * internal use.
13 */
14#include "internal/deprecated.h"
15
ec577822 16#include <openssl/crypto.h>
89abd1b6
MC		 17#include <openssl/core_names.h>
18#include <openssl/engine.h>
19#include <openssl/evp.h>
da9988e0 20#include <openssl/param_build.h>
b39fc560 21#include "internal/cryptlib.h"
cd420b0b 22#include "internal/refcount.h"
25f2138b 23#include "crypto/bn.h"
25f2138b 24#include "crypto/evp.h"
c3a4fa4c 25#include "crypto/rsa.h"
55f02cb6 26#include "crypto/security_bits.h"
706457b7 27#include "rsa_local.h"
d02b48c6 28
b4250010 29static RSA *rsa_new_intern(ENGINE *engine, OSSL_LIB_CTX *libctx);
afb638f1 30
f844f9eb 31#ifndef FIPS_MODULE
6b691a5c 32RSA *RSA_new(void)
0f113f3e 33{
afb638f1 34 return rsa_new_intern(NULL, NULL);
0f113f3e 35}
ce8b2574 36
29c1f061 37const RSA_METHOD *RSA_get_method(const RSA *rsa)
0f113f3e
MC		 38{
39 return rsa->meth;
40}
cb78486d
GT		 41
42int RSA_set_method(RSA *rsa, const RSA_METHOD *meth)
0f113f3e
MC		 43{
44 /*
45 * NB: The caller is specifically setting a method, so it's not up to us
46 * to deal with which ENGINE it comes from.
47 */
48 const RSA_METHOD *mtmp;
49 mtmp = rsa->meth;
50 if (mtmp->finish)
51 mtmp->finish(rsa);
0b13e9f0 52#ifndef OPENSSL_NO_ENGINE
7c96dbcd
RS		 53 ENGINE_finish(rsa->engine);
54 rsa->engine = NULL;
0b13e9f0 55#endif
0f113f3e
MC		 56 rsa->meth = meth;
57 if (meth->init)
58 meth->init(rsa);
59 return 1;
60}
ce8b2574 61
5270e702 62RSA *RSA_new_method(ENGINE *engine)
afb638f1
MC		 63{
64 return rsa_new_intern(engine, NULL);
65}
66#endif
67
b4250010 68RSA *ossl_rsa_new_with_ctx(OSSL_LIB_CTX *libctx)
afb638f1
MC		 69{
70 return rsa_new_intern(NULL, libctx);
71}
72
b4250010 73static RSA *rsa_new_intern(ENGINE *engine, OSSL_LIB_CTX *libctx)
0f113f3e 74{
11ed851d 75 RSA *ret = OPENSSL_zalloc(sizeof(*ret));
d02b48c6 76
0f113f3e 77 if (ret == NULL) {
9311d0c4 78 ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
0f113f3e
MC		 79 return NULL;
80 }
d02b48c6 81
11ed851d
F		 82 ret->references = 1;
83 ret->lock = CRYPTO_THREAD_lock_new();
84 if (ret->lock == NULL) {
9311d0c4 85 ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
11ed851d
F		 86 OPENSSL_free(ret);
87 return NULL;
88 }
89
afb638f1 90 ret->libctx = libctx;
0f113f3e 91 ret->meth = RSA_get_default_method();
f844f9eb 92#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
11ed851d 93 ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW;
0f113f3e
MC		 94 if (engine) {
95 if (!ENGINE_init(engine)) {
9311d0c4 96 ERR_raise(ERR_LIB_RSA, ERR_R_ENGINE_LIB);
11ed851d 97 goto err;
0f113f3e
MC		 98 }
99 ret->engine = engine;
90862ab4 100 } else {
0f113f3e 101 ret->engine = ENGINE_get_default_RSA();
90862ab4 102 }
0f113f3e
MC		 103 if (ret->engine) {
104 ret->meth = ENGINE_get_RSA(ret->engine);
7c96dbcd 105 if (ret->meth == NULL) {
9311d0c4 106 ERR_raise(ERR_LIB_RSA, ERR_R_ENGINE_LIB);
11ed851d 107 goto err;
0f113f3e
MC		 108 }
109 }
0b13e9f0 110#endif
0c9de428 111
0f113f3e 112 ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW;
f844f9eb 113#ifndef FIPS_MODULE
0f113f3e 114 if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) {
11ed851d 115 goto err;
d188a536 116 }
a3327784 117#endif
d188a536
AG		 118
119 if ((ret->meth->init != NULL) && !ret->meth->init(ret)) {
9311d0c4 120 ERR_raise(ERR_LIB_RSA, ERR_R_INIT_FAIL);
11ed851d 121 goto err;
0f113f3e 122 }
d188a536
AG		 123
124 return ret;
11ed851d 125
544648a8 126 err:
11ed851d
F		 127 RSA_free(ret);
128 return NULL;
0f113f3e 129}
d02b48c6 130
6b691a5c 131void RSA_free(RSA *r)
0f113f3e
MC		 132{
133 int i;
d02b48c6 134
0f113f3e
MC		 135 if (r == NULL)
136 return;
d02b48c6 137
2f545ae4 138 CRYPTO_DOWN_REF(&r->references, &i, r->lock);
f3f1cf84 139 REF_PRINT_COUNT("RSA", r);
0f113f3e
MC		 140 if (i > 0)
141 return;
f3f1cf84 142 REF_ASSERT_ISNT(i < 0);
d02b48c6 143
0c5d725e 144 if (r->meth != NULL && r->meth->finish != NULL)
0f113f3e 145 r->meth->finish(r);
f844f9eb 146#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
412bafdc 147 ENGINE_finish(r->engine);
0b13e9f0 148#endif
d02b48c6 149
f844f9eb 150#ifndef FIPS_MODULE
0f113f3e 151 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, r, &r->ex_data);
a3327784 152#endif
7abe8305 153
d188a536
AG		 154 CRYPTO_THREAD_lock_free(r->lock);
155
c033101d
MB		 156 BN_free(r->n);
157 BN_free(r->e);
23a1d5e9
RS		 158 BN_clear_free(r->d);
159 BN_clear_free(r->p);
160 BN_clear_free(r->q);
161 BN_clear_free(r->dmp1);
162 BN_clear_free(r->dmq1);
163 BN_clear_free(r->iqmp);
4f2271d5
SL		 164
165#if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
4158b0dc 166 ossl_rsa_acvp_test_free(r->acvp_test);
4f2271d5
SL		 167#endif
168
f844f9eb 169#ifndef FIPS_MODULE
d771441d 170 RSA_PSS_PARAMS_free(r->pss);
4158b0dc 171 sk_RSA_PRIME_INFO_pop_free(r->prime_infos, ossl_rsa_multip_info_free);
afb638f1 172#endif
23a1d5e9
RS		 173 BN_BLINDING_free(r->blinding);
174 BN_BLINDING_free(r->mt_blinding);
4c42ebd2 175 OPENSSL_free(r->bignum_data);
0f113f3e
MC		 176 OPENSSL_free(r);
177}
d02b48c6 178
6ac4e8bd 179int RSA_up_ref(RSA *r)
0f113f3e 180{
d188a536
AG		 181 int i;
182
2f545ae4 183 if (CRYPTO_UP_REF(&r->references, &i, r->lock) <= 0)
d188a536 184 return 0;
f3f1cf84
RS		 185
186 REF_PRINT_COUNT("RSA", r);
187 REF_ASSERT_ISNT(i < 2);
8686c474 188 return i > 1 ? 1 : 0;
0f113f3e 189}
5cbc2e8b 190
b4250010 191OSSL_LIB_CTX *ossl_rsa_get0_libctx(RSA *r)
8a758e96
RL		 192{
193 return r->libctx;
194}
195
6963979f
RL		 196void ossl_rsa_set0_libctx(RSA *r, OSSL_LIB_CTX *libctx)
197{
198 r->libctx = libctx;
199}
200
f844f9eb 201#ifndef FIPS_MODULE
dd9d233e 202int RSA_set_ex_data(RSA *r, int idx, void *arg)
0f113f3e 203{
8686c474 204 return CRYPTO_set_ex_data(&r->ex_data, idx, arg);
0f113f3e 205}
58964a49 206
29c1f061 207void *RSA_get_ex_data(const RSA *r, int idx)
0f113f3e 208{
8686c474 209 return CRYPTO_get_ex_data(&r->ex_data, idx);
0f113f3e 210}
a3327784 211#endif
58964a49 212
97b0b713
P		 213/*
214 * Define a scaling constant for our fixed point arithmetic.
215 * This value must be a power of two because the base two logarithm code
216 * makes this assumption. The exponent must also be a multiple of three so
217 * that the scale factor has an exact cube root. Finally, the scale factor
218 * should not be so large that a multiplication of two scaled numbers
219 * overflows a 64 bit unsigned integer.
220 */
221static const unsigned int scale = 1 << 18;
222static const unsigned int cbrt_scale = 1 << (2 * 18 / 3);
223
224/* Define some constants, none exceed 32 bits */
225static const unsigned int log_2 = 0x02c5c8; /* scale * log(2) */
226static const unsigned int log_e = 0x05c551; /* scale * log2(M_E) */
227static const unsigned int c1_923 = 0x07b126; /* scale * 1.923 */
228static const unsigned int c4_690 = 0x12c28f; /* scale * 4.690 */
229
230/*
2beb004b 231 * Multiply two scaled integers together and rescale the result.
97b0b713
P		 232 */
233static ossl_inline uint64_t mul2(uint64_t a, uint64_t b)
234{
235 return a * b / scale;
236}
237
238/*
239 * Calculate the cube root of a 64 bit scaled integer.
240 * Although the cube root of a 64 bit number does fit into a 32 bit unsigned
241 * integer, this is not guaranteed after scaling, so this function has a
242 * 64 bit return. This uses the shifting nth root algorithm with some
243 * algebraic simplifications.
244 */
245static uint64_t icbrt64(uint64_t x)
246{
247 uint64_t r = 0;
248 uint64_t b;
249 int s;
250
251 for (s = 63; s >= 0; s -= 3) {
252 r <<= 1;
253 b = 3 * r * (r + 1) + 1;
254 if ((x >> s) >= b) {
255 x -= b << s;
256 r++;
257 }
258 }
259 return r * cbrt_scale;
260}
261
262/*
263 * Calculate the natural logarithm of a 64 bit scaled integer.
264 * This is done by calculating a base two logarithm and scaling.
265 * The maximum logarithm (base 2) is 64 and this reduces base e, so
266 * a 32 bit result should not overflow. The argument passed must be
267 * greater than unity so we don't need to handle negative results.
268 */
269static uint32_t ilog_e(uint64_t v)
270{
271 uint32_t i, r = 0;
272
273 /*
274 * Scale down the value into the range 1 .. 2.
275 *
276 * If fractional numbers need to be processed, another loop needs
277 * to go here that checks v < scale and if so multiplies it by 2 and
278 * reduces r by scale. This also means making r signed.
279 */
280 while (v >= 2 * scale) {
281 v >>= 1;
282 r += scale;
283 }
284 for (i = scale / 2; i != 0; i /= 2) {
285 v = mul2(v, v);
286 if (v >= 2 * scale) {
287 v >>= 1;
288 r += i;
289 }
290 }
291 r = (r * (uint64_t)scale) / log_e;
292 return r;
293}
294
295/*
296 * NIST SP 800-56B rev 2 Appendix D: Maximum Security Strength Estimates for IFC
297 * Modulus Lengths.
298 *
55f02cb6
SL		 299 * Note that this formula is also referred to in SP800-56A rev3 Appendix D:
300 * for FFC safe prime groups for modp and ffdhe.
301 * After Table 25 and Table 26 it refers to
302 * "The maximum security strength estimates were calculated using the formula in
303 * Section 7.5 of the FIPS 140 IG and rounded to the nearest multiple of eight
304 * bits".
305 *
306 * The formula is:
307 *
97b0b713
P		 308 * E = \frac{1.923 \sqrt[3]{nBits \cdot log_e(2)}
309 * \cdot(log_e(nBits \cdot log_e(2))^{2/3} - 4.69}{log_e(2)}
310 * The two cube roots are merged together here.
311 */
9500c823 312uint16_t ossl_ifc_ffc_compute_security_bits(int n)
97b0b713
P		 313{
314 uint64_t x;
315 uint32_t lx;
316 uint16_t y;
317
318 /* Look for common values as listed in SP 800-56B rev 2 Appendix D */
319 switch (n) {
320 case 2048:
321 return 112;
322 case 3072:
323 return 128;
324 case 4096:
325 return 152;
326 case 6144:
327 return 176;
328 case 8192:
329 return 200;
330 }
331 /*
332 * The first incorrect result (i.e. not accurate or off by one low) occurs
333 * for n = 699668. The true value here is 1200. Instead of using this n
334 * as the check threshold, the smallest n such that the correct result is
335 * 1200 is used instead.
336 */
337 if (n >= 687737)
338 return 1200;
339 if (n < 8)
340 return 0;
341
342 x = n * (uint64_t)log_2;
343 lx = ilog_e(x);
344 y = (uint16_t)((mul2(c1_923, icbrt64(mul2(mul2(x, lx), lx))) - c4_690)
345 / log_2);
346 return (y + 4) & ~7;
347}
348
55f02cb6
SL		 349
350
2514fa79 351int RSA_security_bits(const RSA *rsa)
0f113f3e 352{
0122add6
AP		 353 int bits = BN_num_bits(rsa->n);
354
f844f9eb 355#ifndef FIPS_MODULE
0122add6
AP		 356 if (rsa->version == RSA_ASN1_VERSION_MULTI) {
357 /* This ought to mean that we have private key at hand. */
358 int ex_primes = sk_RSA_PRIME_INFO_num(rsa->prime_infos);
359
4158b0dc 360 if (ex_primes <= 0 || (ex_primes + 2) > ossl_rsa_multip_cap(bits))
0122add6
AP		 361 return 0;
362 }
afb638f1 363#endif
9500c823 364 return ossl_ifc_ffc_compute_security_bits(bits);
0f113f3e 365}
9862e9aa
RL		 366
367int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
368{
fd809cfd 369 /* If the fields n and e in r are NULL, the corresponding input
1da12e34
RL		 370 * parameters MUST be non-NULL for n and e. d may be
371 * left NULL (in case only the public key is used).
1da12e34 372 */
b84e1226
MC		 373 if ((r->n == NULL && n == NULL)
374 || (r->e == NULL && e == NULL))
9862e9aa
RL		 375 return 0;
376
1da12e34
RL		 377 if (n != NULL) {
378 BN_free(r->n);
379 r->n = n;
380 }
381 if (e != NULL) {
382 BN_free(r->e);
383 r->e = e;
384 }
385 if (d != NULL) {
c033101d 386 BN_clear_free(r->d);
1da12e34 387 r->d = d;
311e903d 388 BN_set_flags(r->d, BN_FLG_CONSTTIME);
1da12e34 389 }
29be6023 390 r->dirty_cnt++;
9862e9aa
RL		 391
392 return 1;
393}
394
395int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q)
396{
fd809cfd 397 /* If the fields p and q in r are NULL, the corresponding input
1da12e34 398 * parameters MUST be non-NULL.
1da12e34 399 */
b84e1226
MC		 400 if ((r->p == NULL && p == NULL)
401 || (r->q == NULL && q == NULL))
9862e9aa
RL		 402 return 0;
403
1da12e34 404 if (p != NULL) {
c033101d 405 BN_clear_free(r->p);
1da12e34 406 r->p = p;
311e903d 407 BN_set_flags(r->p, BN_FLG_CONSTTIME);
1da12e34
RL		 408 }
409 if (q != NULL) {
c033101d 410 BN_clear_free(r->q);
1da12e34 411 r->q = q;
311e903d 412 BN_set_flags(r->q, BN_FLG_CONSTTIME);
1da12e34 413 }
29be6023 414 r->dirty_cnt++;
9862e9aa
RL		 415
416 return 1;
417}
418
419int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp)
420{
fd809cfd 421 /* If the fields dmp1, dmq1 and iqmp in r are NULL, the corresponding input
1da12e34 422 * parameters MUST be non-NULL.
1da12e34 423 */
b84e1226
MC		 424 if ((r->dmp1 == NULL && dmp1 == NULL)
425 || (r->dmq1 == NULL && dmq1 == NULL)
426 || (r->iqmp == NULL && iqmp == NULL))
9862e9aa
RL		 427 return 0;
428
1da12e34 429 if (dmp1 != NULL) {
c033101d 430 BN_clear_free(r->dmp1);
1da12e34 431 r->dmp1 = dmp1;
311e903d 432 BN_set_flags(r->dmp1, BN_FLG_CONSTTIME);
1da12e34
RL		 433 }
434 if (dmq1 != NULL) {
c033101d 435 BN_clear_free(r->dmq1);
1da12e34 436 r->dmq1 = dmq1;
311e903d 437 BN_set_flags(r->dmq1, BN_FLG_CONSTTIME);
1da12e34
RL		 438 }
439 if (iqmp != NULL) {
c033101d 440 BN_clear_free(r->iqmp);
1da12e34 441 r->iqmp = iqmp;
311e903d 442 BN_set_flags(r->iqmp, BN_FLG_CONSTTIME);
1da12e34 443 }
29be6023 444 r->dirty_cnt++;
9862e9aa
RL		 445
446 return 1;
447}
448
f844f9eb 449#ifndef FIPS_MODULE
665d899f
PY		 450/*
451 * Is it better to export RSA_PRIME_INFO structure
452 * and related functions to let user pass a triplet?
453 */
454int RSA_set0_multi_prime_params(RSA *r, BIGNUM *primes[], BIGNUM *exps[],
455 BIGNUM *coeffs[], int pnum)
456{
457 STACK_OF(RSA_PRIME_INFO) *prime_infos, *old = NULL;
458 RSA_PRIME_INFO *pinfo;
459 int i;
460
461 if (primes == NULL || exps == NULL || coeffs == NULL || pnum == 0)
462 return 0;
463
464 prime_infos = sk_RSA_PRIME_INFO_new_reserve(NULL, pnum);
465 if (prime_infos == NULL)
466 return 0;
467
468 if (r->prime_infos != NULL)
469 old = r->prime_infos;
470
471 for (i = 0; i < pnum; i++) {
4158b0dc 472 pinfo = ossl_rsa_multip_info_new();
665d899f
PY		 473 if (pinfo == NULL)
474 goto err;
475 if (primes[i] != NULL && exps[i] != NULL && coeffs[i] != NULL) {
d2baf88c
CPG		 476 BN_clear_free(pinfo->r);
477 BN_clear_free(pinfo->d);
478 BN_clear_free(pinfo->t);
665d899f
PY		 479 pinfo->r = primes[i];
480 pinfo->d = exps[i];
481 pinfo->t = coeffs[i];
d2baf88c
CPG		 482 BN_set_flags(pinfo->r, BN_FLG_CONSTTIME);
483 BN_set_flags(pinfo->d, BN_FLG_CONSTTIME);
484 BN_set_flags(pinfo->t, BN_FLG_CONSTTIME);
665d899f 485 } else {
4158b0dc 486 ossl_rsa_multip_info_free(pinfo);
665d899f
PY		 487 goto err;
488 }
489 (void)sk_RSA_PRIME_INFO_push(prime_infos, pinfo);
490 }
491
492 r->prime_infos = prime_infos;
493
4158b0dc 494 if (!ossl_rsa_multip_calc_product(r)) {
665d899f
PY		 495 r->prime_infos = old;
496 goto err;
497 }
498
499 if (old != NULL) {
500 /*
501 * This is hard to deal with, since the old infos could
502 * also be set by this function and r, d, t should not
503 * be freed in that case. So currently, stay consistent
504 * with other *set0* functions: just free it...
505 */
4158b0dc 506 sk_RSA_PRIME_INFO_pop_free(old, ossl_rsa_multip_info_free);
665d899f
PY		 507 }
508
509 r->version = RSA_ASN1_VERSION_MULTI;
29be6023 510 r->dirty_cnt++;
665d899f
PY		 511
512 return 1;
513 err:
514 /* r, d, t should not be freed */
4158b0dc 515 sk_RSA_PRIME_INFO_pop_free(prime_infos, ossl_rsa_multip_info_free_ex);
665d899f
PY		 516 return 0;
517}
afb638f1 518#endif
665d899f 519
fd809cfd
RL		 520void RSA_get0_key(const RSA *r,
521 const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)
9862e9aa
RL		 522{
523 if (n != NULL)
524 *n = r->n;
525 if (e != NULL)
526 *e = r->e;
527 if (d != NULL)
528 *d = r->d;
529}
530
fd809cfd 531void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q)
9862e9aa
RL		 532{
533 if (p != NULL)
534 *p = r->p;
535 if (q != NULL)
536 *q = r->q;
537}
538
f844f9eb 539#ifndef FIPS_MODULE
665d899f
PY		 540int RSA_get_multi_prime_extra_count(const RSA *r)
541{
542 int pnum;
543
544 pnum = sk_RSA_PRIME_INFO_num(r->prime_infos);
545 if (pnum <= 0)
546 pnum = 0;
547 return pnum;
548}
549
550int RSA_get0_multi_prime_factors(const RSA *r, const BIGNUM *primes[])
551{
552 int pnum, i;
553 RSA_PRIME_INFO *pinfo;
554
555 if ((pnum = RSA_get_multi_prime_extra_count(r)) == 0)
556 return 0;
557
558 /*
559 * return other primes
560 * it's caller's responsibility to allocate oth_primes[pnum]
561 */
562 for (i = 0; i < pnum; i++) {
563 pinfo = sk_RSA_PRIME_INFO_value(r->prime_infos, i);
564 primes[i] = pinfo->r;
565 }
566
567 return 1;
568}
afb638f1 569#endif
665d899f 570
9862e9aa 571void RSA_get0_crt_params(const RSA *r,
fd809cfd
RL		 572 const BIGNUM **dmp1, const BIGNUM **dmq1,
573 const BIGNUM **iqmp)
9862e9aa
RL		 574{
575 if (dmp1 != NULL)
576 *dmp1 = r->dmp1;
577 if (dmq1 != NULL)
578 *dmq1 = r->dmq1;
579 if (iqmp != NULL)
580 *iqmp = r->iqmp;
581}
582
f844f9eb 583#ifndef FIPS_MODULE
665d899f
PY		 584int RSA_get0_multi_prime_crt_params(const RSA *r, const BIGNUM *exps[],
585 const BIGNUM *coeffs[])
586{
587 int pnum;
588
589 if ((pnum = RSA_get_multi_prime_extra_count(r)) == 0)
590 return 0;
591
592 /* return other primes */
593 if (exps != NULL || coeffs != NULL) {
594 RSA_PRIME_INFO *pinfo;
595 int i;
596
597 /* it's the user's job to guarantee the buffer length */
598 for (i = 0; i < pnum; i++) {
599 pinfo = sk_RSA_PRIME_INFO_value(r->prime_infos, i);
600 if (exps != NULL)
601 exps[i] = pinfo->d;
602 if (coeffs != NULL)
603 coeffs[i] = pinfo->t;
604 }
605 }
606
607 return 1;
608}
afb638f1 609#endif
665d899f 610
6692ff77
DMSP		 611const BIGNUM *RSA_get0_n(const RSA *r)
612{
613 return r->n;
614}
615
616const BIGNUM *RSA_get0_e(const RSA *r)
617{
618 return r->e;
619}
620
621const BIGNUM *RSA_get0_d(const RSA *r)
622{
623 return r->d;
624}
625
626const BIGNUM *RSA_get0_p(const RSA *r)
627{
628 return r->p;
629}
630
631const BIGNUM *RSA_get0_q(const RSA *r)
632{
633 return r->q;
634}
635
636const BIGNUM *RSA_get0_dmp1(const RSA *r)
637{
638 return r->dmp1;
639}
640
641const BIGNUM *RSA_get0_dmq1(const RSA *r)
642{
643 return r->dmq1;
644}
645
646const BIGNUM *RSA_get0_iqmp(const RSA *r)
647{
648 return r->iqmp;
649}
650
677add38
RL		 651const RSA_PSS_PARAMS *RSA_get0_pss_params(const RSA *r)
652{
15671090
RL		 653#ifdef FIPS_MODULE
654 return NULL;
655#else
677add38 656 return r->pss;
15671090
RL		 657#endif
658}
659
660/* Internal */
23b2fc0b 661RSA_PSS_PARAMS_30 *ossl_rsa_get0_pss_params_30(RSA *r)
15671090
RL		 662{
663 return &r->pss_params;
677add38
RL		 664}
665
9862e9aa
RL		 666void RSA_clear_flags(RSA *r, int flags)
667{
668 r->flags &= ~flags;
669}
670
671int RSA_test_flags(const RSA *r, int flags)
672{
673 return r->flags & flags;
674}
675
676void RSA_set_flags(RSA *r, int flags)
677{
678 r->flags |= flags;
679}
680
665d899f
PY		 681int RSA_get_version(RSA *r)
682{
683 /* { two-prime(0), multi(1) } */
684 return r->version;
685}
686
f844f9eb 687#ifndef FIPS_MODULE
e0685d24 688ENGINE *RSA_get0_engine(const RSA *r)
9862e9aa
RL		 689{
690 return r->engine;
691}
e5e04ee3
DSH		 692
693int RSA_pkey_ctx_ctrl(EVP_PKEY_CTX *ctx, int optype, int cmd, int p1, void *p2)
694{
695 /* If key type not RSA or RSA-PSS return error */
696 if (ctx != NULL && ctx->pmeth != NULL
697 && ctx->pmeth->pkey_id != EVP_PKEY_RSA
698 && ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS)
699 return -1;
700 return EVP_PKEY_CTX_ctrl(ctx, -1, optype, cmd, p1, p2);
701}
afb638f1 702#endif
c3a4fa4c
RL		 703
704DEFINE_STACK_OF(BIGNUM)
705
23b2fc0b
P		 706int ossl_rsa_set0_all_params(RSA *r, const STACK_OF(BIGNUM) *primes,
707 const STACK_OF(BIGNUM) *exps,
708 const STACK_OF(BIGNUM) *coeffs)
c3a4fa4c 709{
f844f9eb 710#ifndef FIPS_MODULE
c3a4fa4c 711 STACK_OF(RSA_PRIME_INFO) *prime_infos, *old_infos = NULL;
afb638f1 712#endif
c3a4fa4c
RL		 713 int pnum;
714
715 if (primes == NULL || exps == NULL || coeffs == NULL)
716 return 0;
717
718 pnum = sk_BIGNUM_num(primes);
719 if (pnum < 2
720 || pnum != sk_BIGNUM_num(exps)
721 || pnum != sk_BIGNUM_num(coeffs) + 1)
722 return 0;
723
724 if (!RSA_set0_factors(r, sk_BIGNUM_value(primes, 0),
725 sk_BIGNUM_value(primes, 1))
726 || !RSA_set0_crt_params(r, sk_BIGNUM_value(exps, 0),
727 sk_BIGNUM_value(exps, 1),
728 sk_BIGNUM_value(coeffs, 0)))
729 return 0;
730
f844f9eb 731#ifndef FIPS_MODULE
c3a4fa4c 732 old_infos = r->prime_infos;
afb638f1 733#endif
c3a4fa4c
RL		 734
735 if (pnum > 2) {
f844f9eb 736#ifndef FIPS_MODULE
c3a4fa4c
RL		 737 int i;
738
739 prime_infos = sk_RSA_PRIME_INFO_new_reserve(NULL, pnum);
740 if (prime_infos == NULL)
741 return 0;
742
743 for (i = 2; i < pnum; i++) {
744 BIGNUM *prime = sk_BIGNUM_value(primes, i);
745 BIGNUM *exp = sk_BIGNUM_value(exps, i);
746 BIGNUM *coeff = sk_BIGNUM_value(coeffs, i - 1);
747 RSA_PRIME_INFO *pinfo = NULL;
748
749 if (!ossl_assert(prime != NULL && exp != NULL && coeff != NULL))
750 goto err;
751
4158b0dc 752 /* Using ossl_rsa_multip_info_new() is wasteful, so allocate directly */
c3a4fa4c
RL		 753 if ((pinfo = OPENSSL_zalloc(sizeof(*pinfo))) == NULL) {
754 ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
755 goto err;
756 }
757
758 pinfo->r = prime;
759 pinfo->d = exp;
760 pinfo->t = coeff;
761 BN_set_flags(pinfo->r, BN_FLG_CONSTTIME);
762 BN_set_flags(pinfo->d, BN_FLG_CONSTTIME);
763 BN_set_flags(pinfo->t, BN_FLG_CONSTTIME);
764 (void)sk_RSA_PRIME_INFO_push(prime_infos, pinfo);
765 }
766
767 r->prime_infos = prime_infos;
768
4158b0dc 769 if (!ossl_rsa_multip_calc_product(r)) {
c3a4fa4c
RL		 770 r->prime_infos = old_infos;
771 goto err;
772 }
afb638f1
MC		 773#else
774 return 0;
775#endif
c3a4fa4c
RL		 776 }
777
f844f9eb 778#ifndef FIPS_MODULE
c3a4fa4c
RL		 779 if (old_infos != NULL) {
780 /*
781 * This is hard to deal with, since the old infos could
782 * also be set by this function and r, d, t should not
783 * be freed in that case. So currently, stay consistent
784 * with other *set0* functions: just free it...
785 */
4158b0dc 786 sk_RSA_PRIME_INFO_pop_free(old_infos, ossl_rsa_multip_info_free);
c3a4fa4c 787 }
afb638f1 788#endif
c3a4fa4c
RL		 789
790 r->version = pnum > 2 ? RSA_ASN1_VERSION_MULTI : RSA_ASN1_VERSION_DEFAULT;
791 r->dirty_cnt++;
792
793 return 1;
f844f9eb 794#ifndef FIPS_MODULE
c3a4fa4c
RL		 795 err:
796 /* r, d, t should not be freed */
4158b0dc 797 sk_RSA_PRIME_INFO_pop_free(prime_infos, ossl_rsa_multip_info_free_ex);
c3a4fa4c 798 return 0;
afb638f1 799#endif
c3a4fa4c
RL		 800}
801
802DEFINE_SPECIAL_STACK_OF_CONST(BIGNUM_const, BIGNUM)
803
23b2fc0b
P		 804int ossl_rsa_get0_all_params(RSA *r, STACK_OF(BIGNUM_const) *primes,
805 STACK_OF(BIGNUM_const) *exps,
806 STACK_OF(BIGNUM_const) *coeffs)
c3a4fa4c 807{
f844f9eb 808#ifndef FIPS_MODULE
c3a4fa4c
RL		 809 RSA_PRIME_INFO *pinfo;
810 int i, pnum;
afb638f1 811#endif
c3a4fa4c
RL		 812
813 if (r == NULL)
814 return 0;
815
a9127c1d
RL		 816 /* If |p| is NULL, there are no CRT parameters */
817 if (RSA_get0_p(r) == NULL)
818 return 1;
819
c3a4fa4c
RL		 820 sk_BIGNUM_const_push(primes, RSA_get0_p(r));
821 sk_BIGNUM_const_push(primes, RSA_get0_q(r));
822 sk_BIGNUM_const_push(exps, RSA_get0_dmp1(r));
823 sk_BIGNUM_const_push(exps, RSA_get0_dmq1(r));
824 sk_BIGNUM_const_push(coeffs, RSA_get0_iqmp(r));
afb638f1 825
f844f9eb 826#ifndef FIPS_MODULE
afb638f1 827 pnum = RSA_get_multi_prime_extra_count(r);
c3a4fa4c
RL		 828 for (i = 0; i < pnum; i++) {
829 pinfo = sk_RSA_PRIME_INFO_value(r->prime_infos, i);
830 sk_BIGNUM_const_push(primes, pinfo->r);
831 sk_BIGNUM_const_push(exps, pinfo->d);
832 sk_BIGNUM_const_push(coeffs, pinfo->t);
833 }
afb638f1 834#endif
c3a4fa4c
RL		 835
836 return 1;
837}
89abd1b6 838
f844f9eb 839#ifndef FIPS_MODULE
13f91a72
RL		 840/* Helpers to set or get diverse hash algorithm names */
841static int int_set_rsa_md_name(EVP_PKEY_CTX *ctx,
842 /* For checks */
843 int keytype, int optype,
844 /* For EVP_PKEY_CTX_set_params() */
845 const char *mdkey, const char *mdname,
846 const char *propkey, const char *mdprops)
89abd1b6 847{
13f91a72 848 OSSL_PARAM params[3], *p = params;
89abd1b6 849
13f91a72 850 if (ctx == NULL || mdname == NULL || (ctx->operation & optype) == 0) {
89abd1b6
MC		 851 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
852 /* Uses the same return values as EVP_PKEY_CTX_ctrl */
853 return -2;
854 }
855
13f91a72
RL		 856 /* If key type not RSA return error */
857 switch (keytype) {
858 case -1:
859 if (!EVP_PKEY_CTX_is_a(ctx, "RSA")
860 && !EVP_PKEY_CTX_is_a(ctx, "RSA-PSS"))
861 return -1;
862 break;
863 default:
864 if (!EVP_PKEY_CTX_is_a(ctx, evp_pkey_type2name(keytype)))
865 return -1;
866 break;
867 }
89abd1b6 868
13f91a72
RL		 869 /* Cast away the const. This is read only so should be safe */
870 *p++ = OSSL_PARAM_construct_utf8_string(mdkey, (char *)mdname, 0);
871 if (evp_pkey_ctx_is_provided(ctx) && mdprops != NULL) {
872 /* Cast away the const. This is read only so should be safe */
873 *p++ = OSSL_PARAM_construct_utf8_string(propkey, (char *)mdprops, 0);
874 }
89abd1b6
MC		 875 *p++ = OSSL_PARAM_construct_end();
876
13f91a72 877 return evp_pkey_ctx_set_params_strict(ctx, params);
89abd1b6
MC		 878}
879
13f91a72
RL		 880/* Helpers to set or get diverse hash algorithm names */
881static int int_get_rsa_md_name(EVP_PKEY_CTX *ctx,
882 /* For checks */
883 int keytype, int optype,
884 /* For EVP_PKEY_CTX_get_params() */
885 const char *mdkey,
886 char *mdname, size_t mdnamesize)
89abd1b6 887{
13f91a72 888 OSSL_PARAM params[2], *p = params;
89abd1b6 889
13f91a72 890 if (ctx == NULL || mdname == NULL || (ctx->operation & optype) == 0) {
89abd1b6
MC		 891 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
892 /* Uses the same return values as EVP_PKEY_CTX_ctrl */
893 return -2;
894 }
895
13f91a72
RL		 896 /* If key type not RSA return error */
897 switch (keytype) {
898 case -1:
899 if (!EVP_PKEY_CTX_is_a(ctx, "RSA")
900 && !EVP_PKEY_CTX_is_a(ctx, "RSA-PSS"))
901 return -1;
902 break;
903 default:
904 if (!EVP_PKEY_CTX_is_a(ctx, evp_pkey_type2name(keytype)))
905 return -1;
906 break;
907 }
89abd1b6 908
13f91a72
RL		 909 /* Cast away the const. This is read only so should be safe */
910 *p++ = OSSL_PARAM_construct_utf8_string(mdkey, (char *)mdname, mdnamesize);
89abd1b6
MC		 911 *p++ = OSSL_PARAM_construct_end();
912
13f91a72
RL		 913 return evp_pkey_ctx_get_params_strict(ctx, params);
914}
89abd1b6 915
13f91a72
RL		 916/*
917 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper,
918 * simply because that's easier.
919 * TODO(3.0) Should this be deprecated?
920 */
921int EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX *ctx, int pad_mode)
922{
923 return RSA_pkey_ctx_ctrl(ctx, -1, EVP_PKEY_CTRL_RSA_PADDING,
924 pad_mode, NULL);
925}
89abd1b6 926
13f91a72
RL		 927/*
928 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper,
929 * simply because that's easier.
930 * TODO(3.0) Should this be deprecated?
931 */
932int EVP_PKEY_CTX_get_rsa_padding(EVP_PKEY_CTX *ctx, int *pad_mode)
933{
934 return RSA_pkey_ctx_ctrl(ctx, -1, EVP_PKEY_CTRL_GET_RSA_PADDING,
935 0, pad_mode);
89abd1b6
MC		 936}
937
13f91a72
RL		 938/*
939 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper,
940 * simply because that's easier.
941 * TODO(3.0) Should this be deprecated in favor of passing a name?
942 */
e947a064
DB		 943int EVP_PKEY_CTX_set_rsa_pss_keygen_md(EVP_PKEY_CTX *ctx, const EVP_MD *md)
944{
13f91a72
RL		 945 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN,
946 EVP_PKEY_CTRL_MD, 0, (void *)(md));
e947a064
DB		 947}
948
949int EVP_PKEY_CTX_set_rsa_pss_keygen_md_name(EVP_PKEY_CTX *ctx,
950 const char *mdname,
951 const char *mdprops)
952{
13f91a72
RL		 953 return int_set_rsa_md_name(ctx, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN,
954 OSSL_PKEY_PARAM_RSA_DIGEST, mdname,
955 OSSL_PKEY_PARAM_RSA_DIGEST_PROPS, mdprops);
e947a064
DB		 956}
957
13f91a72
RL		 958/*
959 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper,
960 * simply because that's easier.
961 * TODO(3.0) Should this be deprecated in favor of passing a name?
962 */
89abd1b6
MC		 963int EVP_PKEY_CTX_set_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD *md)
964{
13f91a72
RL		 965 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
966 EVP_PKEY_CTRL_RSA_OAEP_MD, 0, (void *)(md));
89abd1b6
MC		 967}
968
969int EVP_PKEY_CTX_set_rsa_oaep_md_name(EVP_PKEY_CTX *ctx, const char *mdname,
970 const char *mdprops)
971{
13f91a72
RL		 972 return
973 int_set_rsa_md_name(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
974 OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST, mdname,
975 OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST_PROPS, mdprops);
89abd1b6
MC		 976}
977
978int EVP_PKEY_CTX_get_rsa_oaep_md_name(EVP_PKEY_CTX *ctx, char *name,
13f91a72 979 size_t namesize)
89abd1b6 980{
13f91a72
RL		 981 return int_get_rsa_md_name(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
982 OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST,
983 name, namesize);
89abd1b6
MC		 984}
985
13f91a72
RL		 986/*
987 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper,
988 * simply because that's easier.
989 * TODO(3.0) Should this be deprecated in favor of getting a name?
990 */
89abd1b6
MC		 991int EVP_PKEY_CTX_get_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD **md)
992{
13f91a72
RL		 993 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
994 EVP_PKEY_CTRL_GET_RSA_OAEP_MD, 0, (void *)md);
89abd1b6
MC		 995}
996
13f91a72
RL		 997/*
998 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper,
999 * simply because that's easier.
1000 * TODO(3.0) Should this be deprecated in favor of passing a name?
1001 */
1002int EVP_PKEY_CTX_set_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD *md)
89abd1b6 1003{
13f91a72
RL		 1004 return RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT,
1005 EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void *)(md));
89abd1b6
MC		 1006}
1007
13f91a72
RL		 1008int EVP_PKEY_CTX_set_rsa_mgf1_md_name(EVP_PKEY_CTX *ctx, const char *mdname,
1009 const char *mdprops)
e25761b1 1010{
13f91a72 1011 return int_set_rsa_md_name(ctx, -1,
e25761b1 1012 EVP_PKEY_OP_TYPE_CRYPT | EVP_PKEY_OP_TYPE_SIG,
13f91a72
RL		 1013 OSSL_PKEY_PARAM_MGF1_DIGEST, mdname,
1014 OSSL_PKEY_PARAM_MGF1_PROPERTIES, mdprops);
e25761b1
RL		 1015}
1016
13f91a72
RL		 1017int EVP_PKEY_CTX_get_rsa_mgf1_md_name(EVP_PKEY_CTX *ctx, char *name,
1018 size_t namesize)
e25761b1 1019{
13f91a72 1020 return int_get_rsa_md_name(ctx, -1,
e25761b1 1021 EVP_PKEY_OP_TYPE_CRYPT | EVP_PKEY_OP_TYPE_SIG,
13f91a72 1022 OSSL_PKEY_PARAM_MGF1_DIGEST, name, namesize);
e25761b1
RL		 1023}
1024
13f91a72
RL		 1025/*
1026 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper,
1027 * simply because that's easier.
1028 * TODO(3.0) Should this be deprecated in favor of passing a name?
1029 */
e25761b1
RL		 1030int EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD *md)
1031{
13f91a72
RL		 1032 return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN,
1033 EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void *)(md));
e25761b1
RL		 1034}
1035
1036int EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md_name(EVP_PKEY_CTX *ctx,
1037 const char *mdname)
1038{
13f91a72
RL		 1039 return int_set_rsa_md_name(ctx, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN,
1040 OSSL_PKEY_PARAM_MGF1_DIGEST, mdname,
1041 NULL, NULL);
89abd1b6
MC		 1042}
1043
13f91a72
RL		 1044/*
1045 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper,
1046 * simply because that's easier.
1047 * TODO(3.0) Should this be deprecated in favor of getting a name?
1048 */
89abd1b6
MC		 1049int EVP_PKEY_CTX_get_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD **md)
1050{
13f91a72
RL		 1051 return RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT,
1052 EVP_PKEY_CTRL_GET_RSA_MGF1_MD, 0, (void *)(md));
89abd1b6
MC		 1053}
1054
1055int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx, void *label, int llen)
1056{
1057 OSSL_PARAM rsa_params[2], *p = rsa_params;
1058
1059 if (ctx == NULL || !EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx)) {
1060 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
1061 /* Uses the same return values as EVP_PKEY_CTX_ctrl */
1062 return -2;
1063 }
1064
1065 /* If key type not RSA return error */
13f91a72 1066 if (!EVP_PKEY_CTX_is_a(ctx, "RSA"))
89abd1b6
MC		 1067 return -1;
1068
13f91a72 1069 /* Cast away the const. This is read only so should be safe */
89abd1b6 1070 *p++ = OSSL_PARAM_construct_octet_string(OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL,
13f91a72 1071 (void *)label, (size_t)llen);
89abd1b6
MC		 1072 *p++ = OSSL_PARAM_construct_end();
1073
13f91a72 1074 if (!evp_pkey_ctx_set_params_strict(ctx, rsa_params))
89abd1b6
MC		 1075 return 0;
1076
da9988e0 1077 /* Ownership is supposed to be transfered to the callee. */
89abd1b6
MC		 1078 OPENSSL_free(label);
1079 return 1;
1080}
1081
1082int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char **label)
1083{
ba0a6d1d 1084 OSSL_PARAM rsa_params[2], *p = rsa_params;
89abd1b6
MC		 1085 size_t labellen;
1086
1087 if (ctx == NULL || !EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx)) {
1088 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
1089 /* Uses the same return values as EVP_PKEY_CTX_ctrl */
1090 return -2;
1091 }
1092
1093 /* If key type not RSA return error */
13f91a72 1094 if (!EVP_PKEY_CTX_is_a(ctx, "RSA"))
89abd1b6
MC		 1095 return -1;
1096
89abd1b6
MC		 1097 *p++ = OSSL_PARAM_construct_octet_ptr(OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL,
1098 (void **)label, 0);
89abd1b6
MC		 1099 *p++ = OSSL_PARAM_construct_end();
1100
1101 if (!EVP_PKEY_CTX_get_params(ctx, rsa_params))
1102 return -1;
1103
ba0a6d1d 1104 labellen = rsa_params[0].return_size;
89abd1b6
MC		 1105 if (labellen > INT_MAX)
1106 return -1;
1107
1108 return (int)labellen;
1109}
6f4b7663 1110
13f91a72
RL		 1111/*
1112 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper,
1113 * simply because that's easier.
1114 */
e25761b1
RL		 1115int EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int saltlen)
1116{
13f91a72
RL		 1117 /*
1118 * For some reason, the optype was set to this:
1119 *
1120 * EVP_PKEY_OP_SIGN|EVP_PKEY_OP_VERIFY
1121 *
1122 * However, we do use RSA-PSS with the whole gamut of diverse signature
1123 * and verification operations, so the optype gets upgraded to this:
1124 *
1125 * EVP_PKEY_OP_TYPE_SIG
1126 */
1127 return RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_TYPE_SIG,
1128 EVP_PKEY_CTRL_RSA_PSS_SALTLEN, saltlen, NULL);
e25761b1
RL		 1129}
1130
13f91a72
RL		 1131/*
1132 * This one is currently implemented as an EVP_PKEY_CTX_ctrl() wrapper,
1133 * simply because that's easier.
1134 */
1135int EVP_PKEY_CTX_get_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int *saltlen)
e25761b1 1136{
13f91a72
RL		 1137 /*
1138 * Because of circumstances, the optype is updated from:
1139 *
1140 * EVP_PKEY_OP_SIGN|EVP_PKEY_OP_VERIFY
1141 *
1142 * to:
1143 *
1144 * EVP_PKEY_OP_TYPE_SIG
1145 */
1146 return RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_TYPE_SIG,
1147 EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN, 0, saltlen);
e25761b1
RL		 1148}
1149
13f91a72 1150int EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(EVP_PKEY_CTX *ctx, int saltlen)
6f4b7663
RL		 1151{
1152 OSSL_PARAM pad_params[2], *p = pad_params;
1153
13f91a72 1154 if (ctx == NULL || !EVP_PKEY_CTX_IS_GEN_OP(ctx)) {
6f4b7663
RL		 1155 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
1156 /* Uses the same return values as EVP_PKEY_CTX_ctrl */
1157 return -2;
1158 }
1159
13f91a72 1160 if (!EVP_PKEY_CTX_is_a(ctx, "RSA-PSS"))
6f4b7663
RL		 1161 return -1;
1162
13f91a72
RL		 1163 *p++ = OSSL_PARAM_construct_int(OSSL_SIGNATURE_PARAM_PSS_SALTLEN,
1164 &saltlen);
6f4b7663
RL		 1165 *p++ = OSSL_PARAM_construct_end();
1166
13f91a72 1167 return evp_pkey_ctx_set_params_strict(ctx, pad_params);
6f4b7663 1168}
2972af10
RL		 1169
1170int EVP_PKEY_CTX_set_rsa_keygen_bits(EVP_PKEY_CTX *ctx, int bits)
1171{
1172 OSSL_PARAM params[2], *p = params;
1173 size_t bits2 = bits;
1174
1175 if (ctx == NULL || !EVP_PKEY_CTX_IS_GEN_OP(ctx)) {
1176 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
1177 /* Uses the same return values as EVP_PKEY_CTX_ctrl */
1178 return -2;
1179 }
1180
1181 /* If key type not RSA return error */
13f91a72
RL		 1182 if (!EVP_PKEY_CTX_is_a(ctx, "RSA")
1183 && !EVP_PKEY_CTX_is_a(ctx, "RSA-PSS"))
2972af10
RL		 1184 return -1;
1185
2972af10
RL		 1186 *p++ = OSSL_PARAM_construct_size_t(OSSL_PKEY_PARAM_RSA_BITS, &bits2);
1187 *p++ = OSSL_PARAM_construct_end();
1188
13f91a72 1189 return evp_pkey_ctx_set_params_strict(ctx, params);
2972af10
RL		 1190}
1191
13f91a72 1192int EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *pubexp)
2972af10 1193{
13f91a72 1194 int ret = RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_KEYGEN,
3786d748 1195 EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, pubexp);
3786d748 1196
1197 /*
1198 * Satisfy memory semantics for pre-3.0 callers of
1199 * EVP_PKEY_CTX_set_rsa_keygen_pubexp(): their expectation is that input
1200 * pubexp BIGNUM becomes managed by the EVP_PKEY_CTX on success.
1201 */
13f91a72
RL		 1202 if (ret > 0 && evp_pkey_ctx_is_provided(ctx)) {
1203 BN_free(ctx->rsa_pubexp);
3786d748 1204 ctx->rsa_pubexp = pubexp;
13f91a72 1205 }
3786d748 1206
2972af10
RL		 1207 return ret;
1208}
1209
3786d748 1210int EVP_PKEY_CTX_set1_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *pubexp)
1211{
13f91a72
RL		 1212 int ret = 0;
1213
1214 /*
1215 * When we're dealing with a provider, there's no need to duplicate
1216 * pubexp, as it gets copied when transforming to an OSSL_PARAM anyway.
1217 */
1218 if (evp_pkey_ctx_is_legacy(ctx))
1219 pubexp = BN_dup(pubexp);
1220 ret = EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN,
1221 EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, pubexp);
1222 if (evp_pkey_ctx_is_legacy(ctx) && ret <= 0)
1223 BN_free(pubexp);
1224 return ret;
3786d748 1225}
1226
2972af10
RL		 1227int EVP_PKEY_CTX_set_rsa_keygen_primes(EVP_PKEY_CTX *ctx, int primes)
1228{
1229 OSSL_PARAM params[2], *p = params;
1230 size_t primes2 = primes;
1231
1232 if (ctx == NULL || !EVP_PKEY_CTX_IS_GEN_OP(ctx)) {
1233 ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
1234 /* Uses the same return values as EVP_PKEY_CTX_ctrl */
1235 return -2;
1236 }
1237
1238 /* If key type not RSA return error */
13f91a72
RL		 1239 if (!EVP_PKEY_CTX_is_a(ctx, "RSA")
1240 && !EVP_PKEY_CTX_is_a(ctx, "RSA-PSS"))
2972af10
RL		 1241 return -1;
1242
2972af10
RL		 1243 *p++ = OSSL_PARAM_construct_size_t(OSSL_PKEY_PARAM_RSA_PRIMES, &primes2);
1244 *p++ = OSSL_PARAM_construct_end();
1245
13f91a72 1246 return evp_pkey_ctx_set_params_strict(ctx, params);
2972af10 1247}
afb638f1 1248#endif
A mirror of the official openssl repository